Last weekend, the Canada Revenue Agency (CRA) was forced to temporarily suspend its online services due to not one, but two, hacking attempts. Services impacted included those that would give Canadians access to the country’s COVID-19 emergency benefits programs. Hackers used stolen usernames and passwords of more than 5000 individuals to illegally obtain government services and compromise personal information.
This most recent attack comes on the heels of last month’s news that Russian hackers had tried to obtain coronavirus research from governments in Canada, the U.S. and UK. As the pandemic forces organizations, governments, businesses and individuals to move even more sensitive information to online platforms, that information may be more vulnerable to online hacking attempts.
We asked Nur Zincir-Heywood, a professor in Dal’s Faculty of Computer Science, to explain how information can be protected through enhanced cyber-security mechanisms and what organizations and individuals can do to help protect confidential and personal information stored online.
Can you explain what cyber security is and how the government could have better protected Canadians’ information in this most recent hacking attempt?
Cyber security is protecting our systems, networks, programs and data against digital (cyber) attacks. Most of the time these attacks include accessing, changing, or deleting sensitive information; stealing / obtaining (ransom) money from organizations / users or interrupting legitimate user activity of organizations such as businesses and governments.
Recently, the government of Canada’s GCKey service and CRA accounts were under cyber-attacks called credential stuffing. Credential stuffing attacks make use of previously stolen username / password pairs. These pairs are automatically entered into websites until they are potentially matched to an existing account on a given web site, which the attacker can then hijack for their own purposes.
So, in this case, the problem was two-fold: first, users use the same password across multiple web sites for different services; and secondly the website has a vulnerability that enables the attacker to automate injecting (entering) multiple username / password pairs in a brute force fashion.
This means that if the users were not using the same password across multiple web sites and services, the attacks would not have been successful. Also, if the website was not vulnerable, the attack would not have been possible.
What lessons can governments, businesses and individuals learn from these types of cyber-attacks and what steps can they take to better protect personal and sensitive information?
Individual users should always set strong and unique passwords across different online services and web sites they use. In other words, they should never re-use the same password on more than one web site or online service (app). They should always choose strong passwords and change their passwords regularly.
Organizations such as governments and businesses should perform vulnerability analysis and penetration testing regularly to minimize any potential abuses. Strong authentication mechanisms — from multi-factor authentication to requiring unpredictable usernames — the use of CAPTCHA technologies and device fingerprinting could also help defending against these attacks. Finally, governments and businesses need to notify users about any (big or small) data breeches and unusual security events, given that information obtained in such breeches / events could later be used for other fraudulent activities.
What should Canadians do if they think their personal information has been compromised by hackers?
If Canadians think their personal information has been compromised, they should immediately change their username / password pairs, watch out for any unusual activity on their banking and credit card accounts and contact their service provider. For these recent attacks on GCKey service and CRA accounts, the Government of Canada provides the following contact information: Canada.ca and/or 1-800-O-Canada.